Posts Tagged ‘release’

prads-0.3.2: ya skipped that one

Monday, November 5th, 2012

Ever since HACK.LU (where we spoke about VSF), Ebf0 and I have had quite some activity on PRADS, wonder why?

We really enjoyed the design of POM-NG, we find this little program quite inspiring and will keep in touch with GMsoft.

This might be the right time to announce PRADS-me! at, a service to actively fingerprint your own self. Real useful even just for an IP check, geolocation or to see what types of fingerprints you are matching at any given time.

Some of you might recall that PRADS was the subject of a Masters thesis in 2011: “Investigating Passive Operating System Detection” by Petter Bjerke Falch from UiO. Well, it’s happened again.

Jostein Haukeli at the University of Oslo Department of Informatics has written a paper on “False positive reduction through IDS network awareness”. We are excited about the prospect that our work is being used in data correlation, and we would like to see more event correlation stuff done in a scalable context.

Last year PRADS was a featured ip6-ready tool at the ISC.
Furthermore, in July this year PRADS was included in OSSIM, the Open Source SIEM.

In other news, PRADS is about to be baked into the next release of the Security Onion network monitoring linux distro. Version 12.04 beta already comes with PRADS included (replacing old-timers sancp and pads) but it did require some bug-squashing from our end. You know what that means? 0.3.2-rc1 was tagged in the tree recently. That’s right: a new PRADS release is coming up Real Soon Now.

CPM 0.25 :: new packages

Wednesday, September 15th, 2010

sup peeps,
your favorite password management program, CPM, now has updated packages.
What’s new in these packages is a working create-cpmdb. A fix for setting the SUID bit is also included, and that will allow CPM to store passwords securely in memory as well as on disk.

Ubuntu and Debian users:
Get cpm_0.25~beta-2debian3_amd64.deb directly from github.

I have also taken the opportunity to update the documentation, which will allow you to roll your own CPM should you be running something other than debian.

Quick start:

me@mine:~# apt-get install libcdk5 libcrack2 libdotconf1.0 libgpg-error0 libgpgme11 libncursesw5 libxml2 libxml2-utils zlib1g
me@mine:~# dpkg -i cpm_0.25~beta-2debian3_amd64.deb

You need: a GPG key and 3 minutes of your time. Create the password database (only once):

me@mine:~$ create-cpmdb

Use your GPG key to encrypt the database. This puts a .cpmdb file in your home folder.

Run CPM and add your passwords! Exit by hitting ESC to save the keys.

me@mine:~$ cpm

and you have a working CPM install.

Furthermore, I have devised a way for many people to share the same password database through a revision control system. Take a look at CPM::revision control.

CPM: Reliable multiuser password management

Monday, August 2nd, 2010

Sup all,
summer is drawing to a close and vacation is definitely over, but I for one welcome the chance to think and act again. Some time ago our managed services department started complaining about various shoddy password management solutions. Truth be told we already had a good solution, CPM (“Console Password Management”) but the software had fallen into disrepair due to seldom and untidy updates from its author. A new maintainer was desired and a project to fix the software was decreed and the result fell into my lap so to speak.

What sets CPM apart from other password management solutions is that it supports multiple users and goes to great lengths to keep your passwords secure while at the same time being very simple in its design: CPM locks its XML-formatted hierarchical password database in non-swappable private memory (so your passwords don’t get written in cleartext to disk while swapping), and encrypts the database with an arbitrary number of GnuPG public keys.

All this makes CPM quite nice for storing and sharing secrets in a nice curses-based searchable console interface.

For the longest time I’ve been keeping the hundred-odd passwords I can’t remember on notepads and in random text files, thinking that surely I should start employing some sort of password management before I go crazy or my passwords leak. My own wishes were congruent with the scope of this project, so I picked up CPM and gave it a little love, and the result can be found at

GitHub CPM with CPM packages for debian in the downloads section.

CPM crash course

Requirements: Gnu Privacy Guard, and a GPG keypair.

First, install CPM:

dpkg -i cpm_0.25~beta-2debian2_amd64.deb

Then, create a password database, adding your key to the recipient list when prompted.


Then, use CPM from the console:


CPM should now ask you for your GPG key password and display an empty database.

CPM is controlled with the arrow keys, Enter and some control keys.
Hitting Control-H will bring you to the Help screen which explains the control keys.

By default CPM organises your passwords in a structure of hosts that have several services which may have one or more users. Hosts, services, users and passwords are nodes in the tree and a node is added by hitting Control-A and given an appropriate name.

For instance, if I were to add a password ch1ckens0up to user lolarun on the wiki service of host, I would create the following node structure:

Of course there is no need to follow this anal layout, and you may even change the node structure by editing the template names in CPM by hitting Control-N or modifying the /etc/cpmrc config file.

To have CPM generate a random password for you, hit Control-P.
Your changes are not saved unless you hit Control-W or quit the program by hitting ESC enough times. Quitting through Control-C will not save the database.

Future work includes pushing the package into Debian.

What you don’t get (yet) is a GTK-based GUI, a wrapper to pull the password database out of Git and commit it again after modification, or integration with gpg-agent, probably (?) due to a bug in gpgme.

Enjoy this lovely piece of software and leave a comment after testing it!

PRADS 0.2.0 hits release

Monday, June 21st, 2010

PRADS – the Passive Realtime Asset Detection System has reached release with codename: “our two cents”.

It’s been far too long since last release and many things have happened that we thought we would share with you.
First off, PRADS has been rebuilt from scratch to handle high throughput and should work nicely on those fat pipes out there. This means it operates a little differently on the command line.
Our tool is now quite easy to use and has support for many more signature methods.

Changelog for prads 0.2.0-1
* PRADS release 0.2.0
* SYN,SYNACK,ACK,FIN,RST, IPv6, service, client, UDP, ICMP, ARP support
* added and fixed many signatures
* log to prads-asset.log
* eat pcaps (-r file.pcap)
* dump statistics on exit
* wirefuzz script
* prads2snort and other fun tools
* better IPv6 support
* better OS guessing
* awesome memory usage and stability
* l337 optimizations for high thruput
* code refactoring, cleanups & bugfixes and more

Quick start:
root@machine# prads -D
[*] Running prads 0.2.0
[*] Using libpcap version 1.1.1
[*] Using PCRE version 7.8 2008-09-05
[*] OS checks enabled: SYN SYNACK RST FIN ACK
[*] Service checks enabled: TCP-SERVER TCP-CLIENT UDP-SERVICES ARP
[*] Device: eth0
[*] Daemonizing...

To see the raw asset log file:

root@machine# tail -f /var/log/prads-asset.log
asset,vlan,port,proto,service,[service-info],distance,discovered
,0,1268,6,ACK,[65392:118:1:0:.:A:Windows:XP],10,1277044697
,0,56393,6,ACK,[16425:114:1:0:.:A:Windows:XP],14,1277044697
,0,38359,6,SYN,[S4:64:1:60:M1460,S,T,N,W7:.:Linux:2.6 (newer, 7):link:ethernet/modem:uptime:2630hrs],0,1277044698
,0,48065,6,ACK,[54:64:1:0:N,N,T:ZAT:Linux:2.6:uptime:2630hrs],0,1277044697
,0,55834,6,ACK,[33069:48:1:0:N,N,T:AT:Linux:2.4(newer)/2.6:uptime:307hrs],16,1277044697
,0,48747,6,ACK,[259:114:1:0:N,N,T:AT:unknown:unknown:uptime:20hrs],14,1277044697

Remember that ACK mode is and always will be rather unreliable.
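Feeding the asset log into other tooling takes a little care, because the bracketed service-info field contains commas of its own. The parser below is an added example, not part of PRADS: it follows the header line shown above, keeps one OS guess per asset and lets any non-ACK match override an ACK one. The asset addresses in the sample are constructed, and the position of the OS fields inside the fingerprint is an assumption read off the sample lines.

```python
import re

# Column order comes from the header line of prads-asset.log shown above.
# The bracketed service-info can contain commas of its own (TCP options such
# as "M1460,S,T,N,W7"), so a plain split(",") would misalign the columns.
RECORD = re.compile(
    r"^(?P<asset>[^,]*),(?P<vlan>\d+),(?P<port>\d+),(?P<proto>\d+),"
    r"(?P<service>[^,]+),\[(?P<service_info>.*)\],"
    r"(?P<distance>\d+),(?P<discovered>\d+)$")

OS_SERVICES = {"SYN", "SYNACK", "ACK", "FIN", "RST"}

# Constructed sample: fingerprints copied from the listing above, asset
# addresses invented from the 192.0.2.0/24 documentation range.
SAMPLE = [
    "asset,vlan,port,proto,service,[service-info],distance,discovered",
    "192.0.2.10,0,1268,6,ACK,[65392:118:1:0:.:A:Windows:XP],10,1277044697",
    "192.0.2.20,0,48065,6,ACK,[54:64:1:0:N,N,T:ZAT:Linux:2.6:uptime:2630hrs],0,1277044697",
    "192.0.2.20,0,38359,6,SYN,[S4:64:1:60:M1460,S,T,N,W7:.:Linux:2.6 (newer, 7)"
    ":link:ethernet/modem:uptime:2630hrs],0,1277044698",
]


def parse_line(line):
    """Return a dict for one asset record, or None for the header or garbage."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("vlan", "port", "proto", "distance", "discovered"):
        rec[key] = int(rec[key])
    return rec


def os_guess(rec):
    """(genre, details) from a TCP fingerprint record, else None.

    Assumption read off the sample lines: six ':'-separated signature
    fields come first, then the OS genre, then the details.
    """
    if rec["service"] not in OS_SERVICES:
        return None
    parts = rec["service_info"].split(":")
    return (parts[6], parts[7]) if len(parts) >= 8 else None


def best_guess_per_asset(lines):
    """One OS guess per asset; a non-ACK match replaces an ACK-based one."""
    best = {}
    for rec in filter(None, map(parse_line, lines)):
        guess = os_guess(rec)
        if guess is None:
            continue
        is_ack = rec["service"] == "ACK"
        prev = best.get(rec["asset"])
        if prev is None or (prev["from_ack"] and not is_ack):
            best[rec["asset"]] = {"os": guess, "from_ack": is_ack}
    return best


if __name__ == "__main__":
    for asset, info in best_guess_per_asset(SAMPLE).items():
        print(asset, info)
```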

To get a better view of the detected systems, run the following command:

prads-asset-report | less
13 ------------------------------------------------------
OS: Windows Server 2008 (R2 Standard 64-bit) (60%) 1
104 -----------------------------------------------------
OS: Linux 2.6 (newer, 7) (100%) 3
MAC(s): 00:DE:AD:BE:EF:2F (2010/06/20 16:39:00)

Port Service TCP-Application
80 CLIENT Mozilla/5.0 (X11; U; Linux x86_64; en (US) AppleWebKit/533.4 (K
HTML, like Gecko) Chrome/5.0.375.70
80 CLIENT @www
80 CLIENT Mozilla/5.0 (X11; U; Linux x86_64; en (US) AppleWebKit/533.4 (K
HTML, like Gecko) Chrome/5.0.375.70
443 CLIENT TLS 1.0 Client Hello
443 CLIENT TLS 1.0 Client Hello
3218 CLIENT rtorrent/0.8.6/0.12.6
6667 CLIENT @irc
6667 CLIENT @irc
6667 CLIENT SSL 2.0 Client Hello
50005 SERVER Bittorrent
50005 SERVER Bittorrent

Port Service UDP-Application
53 CLIENT @domain
53 CLIENT @domain
123 CLIENT @ntp

105 ------------------------------------------------------


Packages are available for debian and ubuntu, for everyone else there is source.
Get PRADS now!

Report issues and feature requests to:

For suggestions, help, contributions and general banter go to the PRADS mailing list.

EDD DoS detection and DLD

Friday, April 16th, 2010

Hi all,
a short note about the Norwegian data surveillance directive that is up for passage into law these days. This directive, “Datalagringsdirektivet”, is the single most harmful threat to the general public’s privacy while being completely ineffective at stopping the bad guys it’s meant to target. Protests last Saturday in front of the parliamentary building – which yours truly attended – featured politicians and individuals from all ends of the political spectrum. Read more on Stopp DLD.

On to other things,

getting DDoSed sucks, as some of my colleagues found out recently. Wouldn’t it be great if we could detect DDoSes as they come in through the wire? I mean besides when all of nagios goes code red upon us?

Well, I’ve written the little program that could. It’s not quite there yet (too few hours in the day) but the basic principles are fleshed out, and they go a little something like this:

There is a mathematical and a physical notion of entropy. To put it bluntly, it measures the shortest representation of a given piece of information. There’s a theorem that states that if you get many messages, but the messages put together don’t amount to much, then probably someone is fugging with you. We can use this to detect anomalies in network traffic, too.

This theorem about entropy is what EDD, the Entropy Distributed Denial of Service Detector [tarball] uses to classify a packet stream as bollocks, or not.

EDD is still pre-alpha software, which means that it’s a little too simplistic to tell you anything beyond a mere “Something’s up”, but I’d like you to test it in your setups with the understanding that the program.

commit bc2f4df34745e4c422a17e70aac271bc930b9f1a
Author: Kacper Wysocki
Date: Fri Apr 16 18:18:37 2010 +0200

EDD now classifies simple SYN floods successfully.

* faster and simpler simple_entropy
* reads from pcaps (-r)
* configurable threshold (-e)
* configurable window size (-w)
* profile counting (-t)
* edd self-tests (-E)
* better TODO ideas

Try it out and let me know, and send me pcaps of your DDoS and false positives.
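The entropy idea in a few lines, as an added example that is not EDD's code: it computes Shannon entropy over the bytes of a sliding window of packets and reports the windows that fall below a threshold. The window size and threshold stand in for the -w and -e options listed in the commit message; their defaults, the byte-level measure and the constructed packets are assumptions.

```python
import math
import random
from collections import Counter, deque


def byte_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def low_entropy_windows(packets, window=50, threshold=5.0):
    """Return (index, entropy) for every full window below the threshold.

    Many packets that together carry little information score low.
    The default window and threshold are made up for this demo.
    """
    recent = deque(maxlen=window)
    hits = []
    for i, pkt in enumerate(packets):
        recent.append(pkt)
        if len(recent) == window:
            h = byte_entropy(b"".join(recent))
            if h < threshold:
                hits.append((i, h))
    return hits


def syn_like(rng):
    """Constructed 40-byte IPv4+TCP SYN header, kept in memory only.

    Only the source address and the sequence number vary per packet.
    """
    src = bytes(rng.getrandbits(8) for _ in range(4))
    seq = bytes(rng.getrandbits(8) for _ in range(4))
    ip = bytes.fromhex("450000280000400040060000") + src + bytes.fromhex("c0000201")
    tcp = bytes.fromhex("04d20050") + seq + bytes.fromhex("000000005002ffff00000000")
    return ip + tcp


def demo_stream(seed=1):
    """Constructed stream: 100 'normal' packets, 100 SYN-like ones, 100 normal.

    'Normal' is a stand-in: 200 random bytes, as encrypted payloads would look.
    """
    rng = random.Random(seed)

    def normal():
        return bytes(rng.getrandbits(8) for _ in range(200))

    return ([normal() for _ in range(100)]
            + [syn_like(rng) for _ in range(100)]
            + [normal() for _ in range(100)])


if __name__ == "__main__":
    hits = low_entropy_windows(demo_stream())
    print("first alert at packet", hits[0][0], "entropy %.2f" % hits[0][1])
```

Real traffic is not random bytes, so a usable threshold has to be learned from your own baseline rather than taken from this demo.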

bifrost virtual appliance

Monday, April 12th, 2010

I’ve just released a Virtual Appliance for Bifrost 1.2 to ease deployment of Bifrost, the single-print-queue system.

This should make it easier to give Bifrost a go in your organization. Read more on the Bifrost Virtual Appliance page.

the right way to use disk space? virtually, of course!

Monday, December 14th, 2009

I might have mentioned agedu before, a nice tool to find your least useful and ready-to-be-deleted files real quick.

Sucks when the only files you have are rather large ones that you can’t throw out, like virtual system images which can easily become more than a few gigs heavy.

Disk is cheap you say (again) and I will protest loudly; disk is not cheap for your laptop, it is not cheap for your high-performance platter server, it is not cheap for the environment and it’s ridiculous what kind of wasteful behavior the “hey, it’s cheap” mentality promotes, not all of which relates to computers (think garbage, cars, food, wars, lives…)

Regardless, if you are using KVM there is a way to save disk space, speed up disk accesses and maybe even save the environment a little: kvm ships with a little tool called kvm-img (if you’re using QEMU then it’s qemu-img), and support for a copy-on-write storage format called QCOW2.

The qcow2 format is cool because it supports compression and encryption.

Compress your images

If you cared about disk before, you could untick the “allocate all space now” and save a couple gigs on a 10G disk image, but that wouldn’t last long and you’d hear people grumble about disk corruption and such (corruption that I have never ever seen, I might interject), but now you can compress and rebase your image. Here’s how I saved 20G on my disk:

To convert your raw image to qcow2 you would do:

kvm-img convert -c -f raw -O qcow2 $IN ${IN%.img}_base.qcow2

where $IN is your existing image and ${IN%.img}_base.qcow2 is going to be the name of your new qcow2 image. If you have NADA space left, convert into tmpfs (make sure tmpfs is mounted with sufficient size), remove the raw image and copy the new image out of tmpfs. That’ll free up some space.


But why stop there? I mentioned rebasing, and rebase we shall.
The qcow2 format is a little less cool for introducing really sucky snapshotting support, as applying and creating snapshots with kvm-img takes hours and is likely to fail! I don’t recommend trying kvm-img snapshot -c foo.qcow2.
However, the copy-on-write functionality of qcow2 lets us implement functional faux snapshotting with little effort.

Copy-on-write means we can create an image sliver that only stores the changes from some read-only base image. Even better, we can layer these slivers! So, with the script I’ll introduce in a second, we can:

  1. Create or convert into a compressed base image. Name it foo_base.qcow2, e.g. “debian_squeeze_base.qcow2”. This is the master base, ideally made right after installing the operating system or whatever.
  2. Create a usable sliver to store new data into: kvm-img create -b debian_squeeze_base.qcow2 squeeze_today.qcow2
  3. If you are using libvirt, update your /etc/libvirt/qemu/.xml disk source file to point to the ‘today’ image, and restart the libvirt daemon and virt-manager, to catch on to the changes
  4. To create a faux snapshot, just move the today image and rebase it like in step 2.
  5. To revert a faux snapshot, just replace today’s image with the snapshot.

And here is my rebase script:

kwy@amaeth:/var/lib/libvirt/images$ cat 

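#!/bin/sh
# Lines lost from the page (argument handling, then/fi, the mv) are filled in as assumptions.
BASE=$1                       # assumption: the image to snapshot is the first argument
if [ ! -f "$BASE" ]
then
   echo "No base image $BASE"
   exit 1
fi
REBASE=${BASE%.qcow2}_`date +%F`.qcow2
if [ -n "$2" ]
then
   REBASE=$2                  # assumption: an optional second argument names the snapshot
fi
mv "$BASE" "$REBASE"          # step 4: move today's image aside ...
kvm-img create -f qcow2 -b "$REBASE" "$BASE"   # ... and start a new sliver on top of it
kvm-img info "$BASE"
kvm-img info "$REBASE"

echo "$BASE -> $REBASE"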


  • It takes 2 seconds to rebase and restore as opposed to 1 minute vmware snapshot or 4 hours to snapshot with qcow2
  • you don’t need fancy RAID or LVM tricks
  • You save space as opposed to shitty qcow2 snapshots and raw image copies
  • you can keep several versions or patchlevels of an operating system, and several application groups on the same operating system without having to reinstall the system – you already have a base image you can use!


The experience should be pretty stable, but there is always room to shoot yourself in the foot. Here are a couple of ways you can make it hard for yourself:

  • don’t run out of disk space – it will corrupt your open images, regardless of format
  • don’t modify a base image that another image depends upon.
    Your base image knows nothing about its children (newer snapshots and ‘today’ images), so modifying the base image will cause all its children to corrupt into weirdness. That’s why the base image is “read only” and should be named appropriately.
  • don’t go down under the stairs!
  • don’t do stuff you don’t understand!
  • don’t tell me this ain’t new, cause I know!

kernel coolness, finally!

Thursday, November 5th, 2009

Many things worth blogging about are happening lately! In fact, so many things that there is not enough time to blog about them. Ah, where to begin!

Quickly now:


Ebf0 and myself had a lecture about our fine host detection application at Dagen@IFI (Institute for informatics, UiO). Presentation available here, at least until we upload it to the project website.

We now know that our Proof of Concept is k00l and Ebf has started the high-performance C implementation.

Kernel hacks

Did you know you’re missing out on cool kernel features? Well, yes you are. Here are some of them:

  • grsecurity : Better security in linux! Fixes thousands of attack vectors for desktops and servers alike
  • compcache: compressed memory swap might sound counter intuitive, but memory is lightning fast compared to disk, and you can cram more apps into compressed memory!
  • nilfs: Ever wished you hadn’t deleted that file 5 seconds ago? Or wasted an hour waiting for a fsck? Log structured file systems scream write performance. And NILFS aids in data recovery too, as it’ll take automatic snapshots of your data every synchronous write. Very sweet.
  • reiser4: Don’t get me started. This has still not reached mainline. Hans be damned. However, reiser4 is still the fastest file system around.
  • ++++ low-latency, preemptible, tickless system, loads of hardware support and lots more!

The upshot?

The -lied patchset is back!

I now track Ubuntu karmic git and I provide i686 packages:

Add the following to your /etc/apt/sources.list :

deb ./

then install the package:

# add the archive key (089ac586 is a short key ID; compare the full fingerprint of the imported key before trusting it):

gpg --recv-key 089ac586 && gpg --armor --export 089ac586 | sudo apt-key add -

# update package database:

sudo apt-get update

# install the kernel package

sudo apt-get install linux-image-

# check grub or lilo and then reboot into the kernel!

amd64 binaries are coming as soon as I get a chance to compile them. For now grab the karmic git, the patchset and .config and roll your own :-)

What else?

Bifrost is coming along, and might be close to a release soon, and

Multiframe needs a new client release (which I am w0rking on)

oh and I’ve made an

auto-migrate from ISC dhcpd to dnsmasq by script

…with my quick and dirty perl f00 :

Be mindful that it is best for those with a lot of host definitions, and does not support all the ISC syntax out there.

The script is interesting because it concisely illustrates how to make a simple but powerful parser with the minimal amount of lines (and fuss) using the AND-OR Waterfall method.

Honk and Drop me a comment if you like / hate / fake it~!

xtend your battery so you can GO ALL NITE

Monday, September 14th, 2009

K3ep going all n1te just like all that sp4m c0ming in through your mailbox.

10 watts, it's a new record!

From joke to revolver as we say, I’ve noted that many of you find hacking away from power sources quite useful. Here’s how to keep at it longer with low power.


cross-reference like CSI

Friday, March 27th, 2009

I was watching The Mentalist the other night and during the course of a murder investigation they ask the cute geeky cop to “cross-reference” the list of people with brown cars with the list of buyers of a specific toothpaste brand.

She brings up a fancy display of two lists and punches the keyboard a few times, and suddenly a couple of entries in the list are highlighted – the murder suspects. So without further ado I bring you this ultimate crime-fighting tool:

(link updated)
Usage: Download; mv bin/crossref; chmod +x bin/crossref; crossref list1 list2

If you’re on windows you’ll need ActivePerl or Strawberry Perl.

It may not have any fancy graphics, but it’ll get the job done and hey – this isn’t a TV series.